Handling identifier validation

ABSTRACT

A network function performs a method to identify an invalid subscription concealed identifier, SUCI. When the network function receives a message containing a SUCI, it determines a size of the SUCI contained in the received message, and also determines an expected size of the SUCI in the received message. The network function then determines whether the size of the SUCI contained in the received message satisfies a criterion associated with the expected size. If the size of the SUCI contained in the received message does not satisfy the criterion associated with the expected size, the network function determines that the SUCI in the received message is invalid, and it rejects the SUCI in the received message if it is determined to be invalid.

RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.16/343,867, filed 22 Apr. 2019, which was the National Stage ofInternational Application No. PCT/EP2018/086416, filed 20 Dec. 2018,which claims the benefit of U.S. Provisional Application No. 62/616,574,filed 12 Jan. 2018. The disclosure of Ser. No. 16/343,867 andPCT/EP2018/086416 are incorporated herein by reference in theirentirety.

BACKGROUND

The present disclosure relates generally to the use and validation of anidentifier.

Generally, all terms used herein are to be interpreted according totheir ordinary meaning in the relevant technical field, unless adifferent meaning is clearly given and/or is implied from the context inwhich it is used. All references to a/an/the element, apparatus,component, means, step, etc. are to be interpreted openly as referringto at least one instance of the element, apparatus, component, means,step, etc., unless explicitly stated otherwise. The steps of any methodsdisclosed herein do not have to be performed in the exact orderdisclosed, unless a step is explicitly described as following orpreceding another step and/or where it is implicit that a step mustfollow or precede another step. Any feature of any of the embodimentsdisclosed herein may be applied to any other embodiment, whereverappropriate. Likewise, any advantage of any of the embodiments may applyto any other embodiments, and vice versa. Other objectives, features andadvantages of the enclosed embodiments will be apparent from thefollowing description.

5G is a next generation of mobile networks developed by a standardsdeveloping organization called the 3GPP. The earlier generations ofmobile networks were called 4G/LTE, 3G/UMTS, and 2G/GSM. A 5G network ismaintained and its services are offered by the so-called Mobile NetworkOperators (MNOs). MNOs are distinguishable from each other by two typesof codes, namely the Mobile Country Code (MCC) and the Mobile NetworkCode (MNC). In order to use a particular 5G network offered by aparticular MNO, users are required to have a sort of contractualrelationship with that MNO, that relationship being generally called thesubscription. Each subscription in a MNO's 5G network is identified by aunique long-term identifier called the Subscription Permanent Identifier(SUPI). Users wirelessly access a 5G network over-the-air using awireless device known as User Equipment (UE). Before providing anyservice, a 5G network needs to identify a user, i.e., the user'ssubscription, behind a UE. For this purpose of identification, UEs inearlier generation of mobile networks (4G, 3G, and 2G) used to sendusers' unique long-term identifier over-the-air. This was considered aprivacy issue because users could be tracked or identified by anyunauthorized entity capable of intercepting message or acting asman-in-the-middle over-the-air. However, in a 5G network, an MNO has anability to offer better privacy to its users so that their uniquelong-term identifiers (i.e., SUPIs) are not visible over-the-air. Thatability comes from a mechanism in which UEs, instead of sending SUPIs,calculate and send concealed a identifier over-the-air, which is calledthe Subscription Concealed Identifier (SUCI).

The calculation of SUCI actually means the UE encrypting the SUPI and isdone before the SUCI is transferred over-the-air between the UE and the5G network. The encryption is of asymmetric type and uses the MNO'spublic key (denoted HN public key, HN meaning home network). There couldbe multiple ways of doing the asymmetric encryption of the SUPI forcalculating the SUCI, these ways denoted as encryption schemes. Someexample of the encryption schemes are EIGamal encryption scheme, RSAencryption, and Elliptic Curve Integrated Encryption Scheme (ECIES),There could also be multiple variants of the same encryption scheme,e.g., different elliptic curves could be used with an ECIES encryptionscheme like SECP256R1, SECP384R1, and CURVE25519. Multiple variants ofthe same encryption schemes are treated as separate encryptions schemes.Therefore the above mentioned examples of the encryption schemes areEIGamal encryption scheme, RSA encryption, ECIES-SECP256R1,ECIES-SECP384R1, and ECIES-CURVE25519.

These encryption schemes could either be standardized, say by the 3GPP,or be proprietary, decided by each MNO on its own. On one hand, theadvantage of standardized encryption schemes is that those encryptionscheme becomes publicly available or known, which increasesinter-operability, e.g., all UE vendors could support the standardizedschemes. On the other hand, the advantage of proprietary encryptionschemes is that each MNO can independently choose and use any encryptionscheme suitable to its operational efficiency, security and privacyofferings, or regulatory requirements.

FIG. 1 is a high level sequence diagram showing the message flow for UERegistration using SUCI.

In Step 101, the UE connects to a gNB over-the-air (the gNB being a 5Gbase station and part of the 5G Radio Access Network (RAN)) and sends aRegistration Request message which comprises a SUCI calculated by theUE. In Step 102, the gNB forwards the received Registration Requestmessage to a core network node. We denote that core network node as anAccess and Mobility Management Function (AMF) or Security AnchorFunction (SEAF) interchangeably. The gNB and AMF/SEAF are collectivelydenoted as the Serving Network (SN). The SEAF further locates theAuthentication Server Function (AUSF). The SEAF then creates and sendsto the AUSF in Step 103 a 5G Authentication Information Request (AIR)that among other information contains the received SUCI. The AUSF thencontacts the Unified Data Management (UDM) or Subscription IdentifierDe-concealing Function (SIDF) function in Step 104. The AUSF andUDFM/SIDF are collectively denoted as the Home Network (HN).

Note that the in case of roaming the SN and the HN belong to differentMNOs while otherwise both the SN and HN belong to the same MNO.

Note that registration involves more steps than these messages but thisgives an overview of how the SUCI travels over the network.

There currently exist certain challenge(s). In 5G, the calculation ofSUCI could be done using one of multiple encryption schemes. When anetwork function (or network node, used interchangeably) in a 5G networkreceives a SUCI (from a UE or from another network function) it becomeschallenging for the receiver network function to determine if thereceived SUCI is valid or not.

SUMMARY

Certain aspects of the present disclosure and their embodiments mayprovide solutions to these or other challenges. Specifically, there isdisclosed a mechanism that enables a network function to determine thevalidity of a received SUCI.

There are, proposed herein, various embodiments which address one ormore of the issues disclosed herein.

According to one embodiment, there is provided a method performed by anetwork function to identify an invalid subscription concealedidentifier, SUCI, the method comprising:

receiving a message containing a SUCI;

determining a size of the SUCI contained in the received message;

determining an expected size of the SUCI in the received message;

determining whether the size of the SUCI contained in the receivedmessage satisfies a criterion associated with the expected size;

determining that the SUCI in the received message is invalid if the sizeof the SUCI contained in the received message does not satisfy thecriterion associated with the expected size; and

rejecting the SUCI in the received message if it is determined to beinvalid.

According to another embodiment, there is provided a method performed bya wireless device for calculating a subscription concealed identifier,SUCI, the method comprising:

receiving a message indicating a criterion associated with a size of aSUCI;

calculating the SUCI based on an encryption scheme;

determining whether the calculated SUCI satisfies the criterionassociated with the size of the SUCI; and

using the calculated SUCI only if it is determined that it satisfies thecriterion associated with the size of the SUCI.

According to further embodiments, there are provided computer programsfor causing a suitably processor to perform the methods according to theprevious embodiments.

In addition, there are provided computer program products, containingthe respective computer programs. For example, the computer programproducts may comprise computer readable media containing the computerprograms. The computer readable media may comprise tangible media.

Certain embodiments may provide an effective and efficient mechanismthat enables network functions to determine if a received SUCI is validor not. The effectiveness comes from being able to confirm if any SUCIis definitely invalid. The efficiency comes from being able to discardinvalid SUCI early and with minimal processing. Consequently, robustnessof network functions could be increased.

BRIEF DESCRIPTION OF THE DRAWINGS

Some of the embodiments contemplated herein will now be described morefully with reference to the accompanying drawings. Other embodiments,however, are contained within the scope of the subject matter disclosedherein, the disclosed subject matter should not be construed as limitedto only the embodiments set forth herein; rather, these embodiments areprovided by way of example to convey the scope of the subject matter tothose skilled in the art.

FIG. 1 is a signaling diagram, showing a UE Registration process.

FIG. 2 is a flow chart, illustrating a method according to thisdisclosure.

FIG. 3 illustrates a communication network, including network nodes andwireless devices.

FIG. 4 illustrates in more detail a form of a wireless device.

FIG. 5 illustrates in more detail a form of a network node.

FIG. 6 is a flow chart, illustrating a first method.

FIG. 7 illustrates a form of a wireless device for performing the firstmethod.

FIG. 8 is a flow chart, illustrating a second method.

FIG. 9 illustrates a form of a network node for performing the secondmethod.

DETAILED DESCRIPTION

In a 5G network, the UE calculates the SUCI using one of multipleencryption schemes. The UE sends the calculated SUCI to the 5G network.The gNB is the first network function which receives the SUCI. The gNBfurther transfers the received SUCI to the SEAF. The SEAF furthertransfers the received SUCI to the UDM. As such and as mentionedearlier, when a network function (or network node, used interchangeably)receives a SUCI, it becomes a challenge for the receiver networkfunction to determine if the received SUCI is valid or not. Moreconcretely, it becomes a challenge for the gNB, SEAF, and UDM todetermine if the received SUCI is valid or not.

One potential solution to address the said challenge is that both the UEand the 5G network agree beforehand on mutual identification of theencryption scheme that the UE would use when calculating the SUCI. Thismutual identification could be done by an identifier called theencryption scheme identifier. The actual mechanism by which the UE andthe 5G network become able to mutually agree or share the encryptionscheme identifier is out of the scope, and is therefore not discussedexcept than mentioning that HNs could use mechanisms such as theso-called over-the-air (OTA) provisioning. The standardized encryptionschemes could have correspondingly standardized encryption schemeidentifiers, e.g., if ECIES encryption is standardized, then sayECIES-SECP256R1 is identified with encryption scheme identifier 1, andECIES-SECP384R1 is identified with encryption scheme identifier 2.Similarly, the proprietary encryption schemes could have correspondinglyproprietary encryption scheme identifiers, e.g., if RAS encryption ischosen by a MNO, then that MNO can choose some number of its choice, say99 as encryption scheme identifier. The UE would then send to the 5Gnetwork, the SUCI comprising the encryption scheme identifier that itused to calculate the SUCI. The network functions could inspect thereceived encryption scheme identifier and determine if the received SUCIis valid or not.

While the above solution works, there are still other aspects that needconsideration. One aspect is that the said encryption scheme identifieris not technically bound to the actual encryption scheme that the UEused to calculate the SUCI. While a genuine and well-behaving UE wouldsend the correct encryption scheme identifier corresponding to theactual encryption scheme used, the same cannot be said for a fraudulentor misbehaving UE. This is true for both the standardized and theproprietary encryption schemes and encryption scheme identifiers.Another aspect is that, for proprietary encryption schemes, determiningand assigning the corresponding encryption scheme identifier isgenerally in the merit of the HN and is made available to the UE. Since,the SN (comprising gNB and SEAF) is transferring the SUCI to the HN, theproprietary encryption scheme identifiers are not made available to theSN. Therefore, the SN does not know which encryption scheme was used bythe UE for calculation of the SUCI when the encryption scheme identifieris a non-standardized or proprietary value.

One consequence of the above mentioned aspects is that an invalid SUCIwould only be detected after the HN tried and failed to decrypt thereceived SUCI. As we see from FIG. 1 , this happens very late in theprocess and therefore an invalid SUCI would result in waste of resourcesof all nodes up to the HN. Additionally, it is not unlikely that amisbehaving UE would recalculate and resubmit its SUCI causing the sameissue to occur multiple times. Another consequence is that a fraudulentor misbehaving UE could send an invalid SUCI on purpose to harm the 5Gnetwork in general. This would waste the resources of the network whichpossibly leads to valid UEs being denied service. Yet anotherconsequence is that a fraudulent or misbehaving UE that is colludingwith the HN has a free one-way communication channel from the UE to theHN. While it is unlikely that an UE and HN are colluding in this waysuch attacks cannot be completely ruled out.

In the following, there is described a method invention which mitigatesthe above mentioned problems.

It is noted that the size of the SUCI resulting from the output of anencryption scheme (denoted encryption scheme output) has a predictablesize. For example, when an encryption scheme, such as the abovementioned ECIES, uses a 256-bit elliptic curve with point compression,the size of the UE's ephemeral public key would be 256 bits; signindication if any would be 1 bit; encrypted output of the SUPI would be60 bits. This means that the total size of the SUCI resulting from theoutput of any this encryption scheme would be in the order of 320 bits.Similarly, when a RSA encryption scheme is used, the SUCI could be inthe order of 2100 bits.

The methods described here use the above mentioned predictability ofsize of the encryption scheme output to determine the validity of theSUCI. Further explanation follows.

It is our teaching that standardized encryption schemes could havestandardized maximum size limitation of encryption scheme output alongwith the standardized encryption scheme identifier. Then, networkfunctions (in RAN, SN, and HN) such as the gNB, SEAF or UDM could rejectSUCIs of size larger the maximum size limitation. Similarly, it is alsoour teaching that proprietary encryption schemes would similarly haveproprietary maximum size limitation of encryption scheme output alongwith the proprietary encryption scheme identifier. This proprietarymaximum size limitation of encryption scheme output could be madeavailable to the network functions in the HN as well as the SN. The SNcould be informed of the size limitation either by additional signalingbetween the HN and SN or for example through separate operation andmaintenance functions as a part of the roaming agreement (for roamed orvisited networks). We also teach that each network function could alsouse its own local or a system wide maximum size limitation so that anyproprietary scheme does not exploit the network. As an example of alocal size limitation, one part of the network, for example the AMFnetwork node may have a different expected size from another networknode such as the AUSF node. To avoid that UEs unintentionally attempt touse proprietary SUCIs longer than the local or system wide limitationsset by the SN, such size limitations could be broadcasted over-the-airin system broadcast message or made known to UE in some other protocolmessages, such as a Random Access Response (RAR) message.

Further, it is our teaching that there could also be one overallworldwide standardized maximum size applicable for all standardized orproprietary schemes. That maximum size could for example be setaccording to the transport block size of radio channel.

A person skilled-in-the-art will appreciate that our teachings do notlimit other types of size limitations than the maximum type. One exampleis that, there could also be a similar limitation on minimum size, sothat the network functions can reject SUCIs smaller in size than thatminimum size. Another example is that there could be an estimated sizeand allowed deviation. For example, an estimated size could be 500 bitsand allowed deviation could be plus or minus 100. The network functionswould then reject any SUCI longer than 600 bits or shorter than 400bits. Further, there could also be customizable granularity of sizelimitations based on other aspects or information, such as the time (forexample a stricter size restriction could be applied at specific timeswhen the network is busy, such as during office hours); the location(for example applying a stricter size restriction near sensitive sitessuch as a parliament building); the network load (for example applying astricter size restriction when the network is under particular load);the network type (for example, applying a stricter size restriction ifthe network is from a poor vendor); operator information (for exampleapplying separate size restrictions based on the PLMN id); or roamingpartner information (for example applying stricter size restriction fordevices from particular countries).

FIG. 2 is an example flowchart, showing a method of SUCI validation innetwork functions using maximum and minimum sizes.

A network function that receives a SUCI could start, as shown at step202, when receiving a message that contains a SUCI, by verifying that ingeneral a valid encryption scheme identifier has been used, ifapplicable. For example, it could be a part of protocol parsing wherealphabet characters (a-z) are considered invalid for numeric field(0-9). The receiver network could reject generally invalid SUCIs. If itis found that the encryption scheme identifier appears generally valid,the process passes to step 204, in which the network function furtherchecks the encryption scheme identifier and determines whether aproprietary scheme is used or if a standardized scheme is used. Then,the network function forks off accordingly.

If the encryption scheme identifier indicates that a proprietary schemeis not used, the network function determines an expected size of theSUCI contained in the received message. This expected size will be knownbased on the standardized encryption scheme that is being used. Forexample, in certain standardized schemes, the expected size of the SUCImay be equal to the size of the input, or may be equal to the size ofthe input plus a size of a public key, or may be equal to a size of theinput plus a size of a public key, plus a size of an associated MessageAuthentication Code. The network function then determines one or morecriteria associated with the expected size. For example, the networkfunction may determine a maximum size criterion (for example greaterthan or equal to the expected size), or a minimum size criterion (forexample smaller than or equal to the expected size), or maximum andminimum sizes defining a size range criterion (for example encompassingthe expected size). The network function then checks whether or not thereceived SUCI complies with any corresponding limits. In FIG. 2 ,examples of these limits are minimum and maximum lengths for SUCI. Thus,the process first passes to step 206, in which it is determined whetherthe SUCI is longer than a maximum length. If so, the process passes tostep 208, and the SUCI is rejected. If the SUCI is not longer than amaximum length, the process passes to step 210, in which it isdetermined whether the SUCI is shorter than a minimum length. If so, theprocess passes to step 208, and the SUCI is rejected. If the SUCI is notshorter than the minimum length, the process passes to step 212, and theSUCI is accepted or processed.

If the encryption scheme identifier indicates in step 204 that aproprietary scheme is used, the network function determines an expectedsize of the SUCI contained in the received message, based on theencryption scheme. The network function then determines one or morecriteria associated with the expected size. For example, the networkfunction may determine a maximum size criterion (for example greaterthan or equal to the expected size), or a minimum size criterion (forexample smaller than or equal to the expected size), or maximum andminimum sizes defining a size range criterion (for example encompassingthe expected size). In addition, an overall maximum size may be set,such that this maximum size will apply regardless of the encryptionscheme that is used. The network function then checks whether or not thereceived SUCI complies with any corresponding limits. In FIG. 2 ,examples of these limits are minimum and maximum lengths for SUCI. Thus,the process passes to step 214, in which it is determined whether theSUCI is longer than a maximum length allowed by the network function. Ifso, the process passes to step 208, and the SUCI is rejected. If theSUCI is not longer than the maximum length, the process passes to step216, in which it is determined whether the SUCI is shorter than aminimum length. If so, the process passes to step 208, and the SUCI isrejected. If the SUCI is not shorter than the minimum length, theprocess passes to step 212, and SUCI is accepted or processed.

In this figure, the consequence of determining that the SUCI does notmeet the specified criterion is said to be that the SUCI is rejected.This means that some action is taken, rather than normal processing ofthe message including the SUCI. More specifically, one possibility isthat the invalid SUCI will not be decrypted by the network. Anotherpossibility is no further processing is done, and instead some errormessage will be returned, e.g., authentication-failure orsubscription-unknown or invalid-SUCI. Other possible actions arelogging, informing other nodes, re-provisioning the UE, paging the UE,and trying to decrypt SUCI anyway using some other heuristics. Anotheroption is to just drop invalid messages with no information provided tothe nodes sending invalid messages.

Thus, the figure shows the examples of these limits corresponding toencryption scheme or the network function itself. Note that when astandardized encryption scheme is used, it is not preferable for thenetwork function to have any kind of limit that results in rejection ofSUCIs that are within the standardized limits for the given encryptionscheme. However, for proprietary schemes the network might have theirown configuration of allowed lengths.

It should be appreciated that our teachings enable network function todetermine validity of SUCIs and take corresponding actions, likeproceeding with processing of SUCI or rejecting SUCIs. Mind that ourteachings do not require network functions to perform actual decryptionof the received SUCIs. This makes our teachings very efficient in theterms of computation. Further, receiver network functions would be ableto verify validity of SUCI very early, for example by the networkfunctions in RAN (e.g., gNB), SN (e.g., SEAF) and can early rejectinvalid SUCIs. This further increases efficiency in the sense of networkmessaging overhead and resource allocation. Additionally, our teachingsdoes not have risk of rejecting valid SUCIs because valid SUCIs wouldcomply with the size limitation. In other words, there is no chance offalse negatives, which in turn makes the method very effective.

A similar process to that described above can be performed by thewireless device, when calculating a subscription concealed identifier,SUCI. Specifically, the wireless device may (in advance) receive amessage indicating a criterion associated with a size of a SUCI. Whenwishing to communicate with the network, the wireless device maycalculate the SUCI based on an encryption scheme. The wireless devicemay then determine whether the calculated SUCI satisfies the criterionassociated with the size of the SUCI. The wireless device may then usethe calculated SUCI only if it is determined that it satisfies thecriterion associated with the size of the SUCI.

For example, the wireless device may receive the message indicating thecriterion associated with the size of a SUCI in a broadcast message orin a protocol message sent specifically to the wireless device.

The criterion associated with the size of the SUCI may comprise amaximum size, a minimum size, or a size range. The maximum size may beset based on the scheme used for calculating the SUCI.

This allows the wireless device to carry out a check before transmittingthe SUCI to the network. If the wireless device determines that thecalculated SUCI does not satisfy the criterion associated with the sizeof the SUCI (that is, for example, if the size of the SUCI exceeds amaximum size), in certain embodiments the wireless device does not sendthe calculated SUCI to the network. For example, if the wireless devicefinds out that the generated SUCI is large, then it can recalculate SUCIbecause there was some intermediate bug. The ME could also try otherencryption schemes if there is a choice. The wireless device could alsoinform its vendor or some network node via WIFI. The wireless devicecould also try to connect via 4G or 3G or 2G where this encryption isnot used. Then the wireless device could inform vendor or some networknode via 4G or 3G or 2G.

FIG. 3 illustrates a wireless network in accordance with someembodiments.

Although the subject matter described herein may be implemented in anyappropriate type of system using any suitable components, theembodiments disclosed herein are described in relation to a wirelessnetwork, such as the example wireless network illustrated in FIG. 3 .For simplicity, the wireless network of FIG. 3 only depicts network 306,network nodes 360 and 360 b, and WDs 310, 310 b, and 310 c. In practice,a wireless network may further include any additional elements suitableto support communication between wireless devices or between a wirelessdevice and another communication device, such as a landline telephone, aservice provider, or any other network node or end device. Of theillustrated components, network node 360 and wireless device (WD) 310are depicted with additional detail. The wireless network may providecommunication and other types of services to one or more wirelessdevices to facilitate the wireless devices' access to and/or use of theservices provided by, or via, the wireless network.

The wireless network may comprise and/or interface with any type ofcommunication, telecommunication, data, cellular, and/or radio networkor other similar type of system. In some embodiments, the wirelessnetwork may be configured to operate according to specific standards orother types of predefined rules or procedures. Thus, particularembodiments of the wireless network may implement communicationstandards, such as Global System for Mobile Communications (GSM),Universal Mobile Telecommunications System (UMTS), Long Term Evolution(LTE), and/or other suitable 2G, 3G, 4G, or 5G standards; wireless localarea network (WLAN) standards, such as the IEEE 802.11 standards; and/orany other appropriate wireless communication standard, such as theWorldwide Interoperability for Microwave Access (WiMAX), Bluetooth,Z-Wave and/or ZigBee standards.

Network 306 may comprise one or more backhaul networks, core networks,IP networks, public switched telephone networks (PSTNs), packet datanetworks, optical networks, wide-area networks (WANs), local areanetworks (LANs), wireless local area networks (WLANs), wired networks,wireless networks, metropolitan area networks, and other networks toenable communication between devices.

Network node 360 and WD 310 comprise various components described inmore detail below. These components work together in order to providenetwork node and/or wireless device functionality, such as providingwireless connections in a wireless network. In different embodiments,the wireless network may comprise any number of wired or wirelessnetworks, network nodes, base stations, controllers, wireless devices,relay stations, and/or any other components or systems that mayfacilitate or participate in the communication of data and/or signalswhether via wired or wireless connections.

As used herein, network node refers to equipment capable, configured,arranged and/or operable to communicate directly or indirectly with awireless device and/or with other network nodes or equipment in thewireless network to enable and/or provide wireless access to thewireless device and/or to perform other functions (e.g., administration)in the wireless network. Examples of network nodes include, but are notlimited to, access points (APs) (e.g., radio access points), basestations (BSs) (e.g., radio base stations, Node Bs, evolved Node Bs(eNBs) and NR NodeBs (gNBs)). Base stations may be categorized based onthe amount of coverage they provide (or, stated differently, theirtransmit power level) and may then also be referred to as femto basestations, pico base stations, micro base stations, or macro basestations. A base station may be a relay node or a relay donor nodecontrolling a relay. A network node may also include one or more (orall) parts of a distributed radio base station such as centralizeddigital units and/or remote radio units (RRUs), sometimes referred to asRemote Radio Heads (RRHs). Such remote radio units may or may not beintegrated with an antenna as an antenna integrated radio. Parts of adistributed radio base station may also be referred to as nodes in adistributed antenna system (DAS). Yet further examples of network nodesinclude multi-standard radio (MSR) equipment such as MSR BSs, networkcontrollers such as radio network controllers (RNCs) or base stationcontrollers (BSCs), base transceiver stations (BTSs), transmissionpoints, transmission nodes, multi-cell/multicast coordination entities(MCEs), core network nodes (e.g., MSCs, MMEs), O&M nodes, OSS nodes, SONnodes, positioning nodes (e.g., E-SMLCs), and/or MDTs. As anotherexample, a network node may be a virtual network node as described inmore detail below. More generally, however, network nodes may representany suitable device (or group of devices) capable, configured, arranged,and/or operable to enable and/or provide a wireless device with accessto the wireless network or to provide some service to a wireless devicethat has accessed the wireless network.

In FIG. 3 , network node 360 includes processing circuitry 370, devicereadable medium 380, interface 390, auxiliary equipment 384, powersource 386, power circuitry 387, and antenna 362. Although network node360 illustrated in the example wireless network of FIG. 3 may representa device that includes the illustrated combination of hardwarecomponents, other embodiments may comprise network nodes with differentcombinations of components. It is to be understood that a network nodecomprises any suitable combination of hardware and/or software needed toperform the tasks, features, functions and methods disclosed herein.Moreover, while the components of network node 360 are depicted assingle boxes located within a larger box, or nested within multipleboxes, in practice, a network node may comprise multiple differentphysical components that make up a single illustrated component (e.g.,device readable medium 380 may comprise multiple separate hard drives aswell as multiple RAM modules).

For example, the illustrated network node 360 is a radio access networknode. However, the methods described herein may be used in any networknode or network function, including, by way of example only, and withoutany limitation, core network nodes such as an Access and MobilityManagement Function (AMF) or Security Anchor Function (SEAF); anAuthentication Server Function (AUSF); or a Unified Data Management(UDM) or Subscription Identifier De-concealing Function (SIDF) function.In the case of such core network nodes, the respective network node mayinclude any or all of the components shown in FIG. 3 , but may notinclude the wireless communication functionality shown in the Figure.

Similarly, network node 360 may be composed of multiple physicallyseparate components (e.g., a NodeB component and a RNC component, or aBTS component and a BSC component, etc.), which may each have their ownrespective components. In certain scenarios in which network node 360comprises multiple separate components (e.g., BTS and BSC components),one or more of the separate components may be shared among severalnetwork nodes. For example, a single RNC may control multiple NodeB's.In such a scenario, each unique NodeB and RNC pair, may in someinstances be considered a single separate network node. In someembodiments, network node 360 may be configured to support multipleradio access technologies (RATs). In such embodiments, some componentsmay be duplicated (e.g., separate device readable medium 380 for thedifferent RATs) and some components may be reused (e.g., the sameantenna 362 may be shared by the RATs). Network node 360 may alsoinclude multiple sets of the various illustrated components fordifferent wireless technologies integrated into network node 360, suchas, for example, GSM, WCDMA, LTE, NR, WiFi, or Bluetooth wirelesstechnologies. These wireless technologies may be integrated into thesame or different chip or set of chips and other components withinnetwork node 360.

Processing circuitry 370 is configured to perform any determining,calculating, or similar operations (e.g., certain obtaining operations)described herein as being provided by a network node. These operationsperformed by processing circuitry 370 may include processing informationobtained by processing circuitry 370 by, for example, converting theobtained information into other information, comparing the obtainedinformation or converted information to information stored in thenetwork node, and/or performing one or more operations based on theobtained information or converted information, and as a result of saidprocessing making a determination.

Processing circuitry 370 may comprise a combination of one or more of amicroprocessor, controller, microcontroller, central processing unit,digital signal processor, application-specific integrated circuit, fieldprogrammable gate array, or any other suitable computing device,resource, or combination of hardware, software and/or encoded logicoperable to provide, either alone or in conjunction with other networknode 360 components, such as device readable medium 380, network node360 functionality. For example, processing circuitry 370 may executeinstructions stored in device readable medium 380 or in memory withinprocessing circuitry 370. Such functionality may include providing anyof the various wireless features, functions, or benefits discussedherein. In some embodiments, processing circuitry 370 may include asystem on a chip (SOC).

In some embodiments, processing circuitry 370 may include one or more ofradio frequency (RF) transceiver circuitry 372 and baseband processingcircuitry 374. In some embodiments, radio frequency (RF) transceivercircuitry 372 and baseband processing circuitry 374 may be on separatechips (or sets of chips), boards, or units, such as radio units anddigital units. In alternative embodiments, part or all of RF transceivercircuitry 372 and baseband processing circuitry 374 may be on the samechip or set of chips, boards, or units

In certain embodiments, some or all of the functionality describedherein as being provided by a network node, base station, eNB or othersuch network device may be performed by processing circuitry 370executing instructions stored on device readable medium 380 or memorywithin processing circuitry 370. In alternative embodiments, some or allof the functionality may be provided by processing circuitry 370 withoutexecuting instructions stored on a separate or discrete device readablemedium, such as in a hard-wired manner. In any of those embodiments,whether executing instructions stored on a device readable storagemedium or not, processing circuitry 370 can be configured to perform thedescribed functionality. The benefits provided by such functionality arenot limited to processing circuitry 370 alone or to other components ofnetwork node 360, but are enjoyed by network node 360 as a whole, and/orby end users and the wireless network generally.

Device readable medium 380 may comprise any form of volatile ornon-volatile computer readable memory including, without limitation,persistent storage, solid-state memory, remotely mounted memory,magnetic media, optical media, random access memory (RAM), read-onlymemory (ROM), mass storage media (for example, a hard disk), removablestorage media (for example, a flash drive, a Compact Disk (CD) or aDigital Video Disk (DVD)), and/or any other volatile or non-volatile,non-transitory device readable and/or computer-executable memory devicesthat store information, data, and/or instructions that may be used byprocessing circuitry 370. Device readable medium 380 may store anysuitable instructions, data or information, including a computerprogram, software, an application including one or more of logic, rules,code, tables, etc. and/or other instructions capable of being executedby processing circuitry 370 and, utilized by network node 360. Devicereadable medium 380 may be used to store any calculations made byprocessing circuitry 370 and/or any data received via interface 390. Insome embodiments, processing circuitry 370 and device readable medium380 may be considered to be integrated.

Interface 390 is used in the wired or wireless communication ofsignaling and/or data between network node 360, network 306, and/or WDs310. As illustrated, interface 390 comprises port(s)/terminal(s) 394 tosend and receive data, for example to and from network 306 over a wiredconnection. Interface 390 also includes radio front end circuitry 392that may be coupled to, or in certain embodiments a part of, antenna362. Radio front end circuitry 392 comprises filters 398 and amplifiers396. Radio front end circuitry 392 may be connected to antenna 362 andprocessing circuitry 370. Radio front end circuitry may be configured tocondition signals communicated between antenna 362 and processingcircuitry 370. Radio front end circuitry 392 may receive digital datathat is to be sent out to other network nodes or WDs via a wirelessconnection. Radio front end circuitry 392 may convert the digital datainto a radio signal having the appropriate channel and bandwidthparameters using a combination of filters 398 and/or amplifiers 396. Theradio signal may then be transmitted via antenna 362. Similarly, whenreceiving data, antenna 362 may collect radio signals which are thenconverted into digital data by radio front end circuitry 392. Thedigital data may be passed to processing circuitry 370. In otherembodiments, the interface may comprise different components and/ordifferent combinations of components.

In certain alternative embodiments, network node 360 may not includeseparate radio front end circuitry 392, instead, processing circuitry370 may comprise radio front end circuitry and may be connected toantenna 362 without separate radio front end circuitry 392. Similarly,in some embodiments, all or some of RF transceiver circuitry 372 may beconsidered a part of interface 390. In still other embodiments,interface 390 may include one or more ports or terminals 394, radiofront end circuitry 392, and RF transceiver circuitry 372, as part of aradio unit (not shown), and interface 390 may communicate with basebandprocessing circuitry 374, which is part of a digital unit (not shown).

Antenna 362 may include one or more antennas, or antenna arrays,configured to send and/or receive wireless signals. Antenna 362 may becoupled to radio front end circuitry 390 and may be any type of antennacapable of transmitting and receiving data and/or signals wirelessly. Insome embodiments, antenna 362 may comprise one or more omni-directional,sector or panel antennas operable to transmit/receive radio signalsbetween, for example, 2 GHz and 66 GHz. An omni-directional antenna maybe used to transmit/receive radio signals in any direction, a sectorantenna may be used to transmit/receive radio signals from deviceswithin a particular area, and a panel antenna may be a line of sightantenna used to transmit/receive radio signals in a relatively straightline. In some instances, the use of more than one antenna may bereferred to as MIMO. In certain embodiments, antenna 362 may be separatefrom network node 360 and may be connectable to network node 360 throughan interface or port.

Antenna 362, interface 390, and/or processing circuitry 370 may beconfigured to perform any receiving operations and/or certain obtainingoperations described herein as being performed by a network node. Anyinformation, data and/or signals may be received from a wireless device,another network node and/or any other network equipment. Similarly,antenna 362, interface 390, and/or processing circuitry 370 may beconfigured to perform any transmitting operations described herein asbeing performed by a network node. Any information, data and/or signalsmay be transmitted to a wireless device, another network node and/or anyother network equipment.

Power circuitry 387 may comprise, or be coupled to, power managementcircuitry and is configured to supply the components of network node 360with power for performing the functionality described herein. Powercircuitry 387 may receive power from power source 386. Power source 386and/or power circuitry 387 may be configured to provide power to thevarious components of network node 360 in a form suitable for therespective components (e.g., at a voltage and current level needed foreach respective component). Power source 386 may either be included in,or external to, power circuitry 387 and/or network node 360. Forexample, network node 360 may be connectable to an external power source(e.g., an electricity outlet) via an input circuitry or interface suchas an electrical cable, whereby the external power source supplies powerto power circuitry 387. As a further example, power source 386 maycomprise a source of power in the form of a battery or battery packwhich is connected to, or integrated in, power circuitry 387. Thebattery may provide backup power should the external power source fail.Other types of power sources, such as photovoltaic devices, may also beused.

Alternative embodiments of network node 360 may include additionalcomponents beyond those shown in FIG. 3 that may be responsible forproviding certain aspects of the network node's functionality, includingany of the functionality described herein and/or any functionalitynecessary to support the subject matter described herein. For example,network node 360 may include user interface equipment to allow input ofinformation into network node 360 and to allow output of informationfrom network node 360. This may allow a user to perform diagnostic,maintenance, repair, and other administrative functions for network node360.

As used herein, wireless device (WD) refers to a device capable,configured, arranged and/or operable to communicate wirelessly withnetwork nodes and/or other wireless devices. Unless otherwise noted, theterm WD may be used interchangeably herein with user equipment (UE).Communicating wirelessly may involve transmitting and/or receivingwireless signals using electromagnetic waves, radio waves, infraredwaves, and/or other types of signals suitable for conveying informationthrough air. In some embodiments, a WD may be configured to transmitand/or receive information without direct human interaction. Forinstance, a WD may be designed to transmit information to a network on apredetermined schedule, when triggered by an internal or external event,or in response to requests from the network. Examples of a WD include,but are not limited to, a smart phone, a mobile phone, a cell phone, avoice over IP (VoIP) phone, a wireless local loop phone, a desktopcomputer, a personal digital assistant (PDA), a wireless cameras, agaming console or device, a music storage device, a playback appliance,a wearable terminal device, a wireless endpoint, a mobile station, atablet, a laptop, a laptop-embedded equipment (LEE), a laptop-mountedequipment (LME), a smart device, a wireless customer-premise equipment(CPE). a vehicle-mounted wireless terminal device, etc. A WD may supportdevice-to-device (D2D) communication, for example by implementing a 3GPPstandard for sidelink communication, vehicle-to-vehicle (V2V),vehicle-to-infrastructure (V2I), vehicle-to-everything (V2X) and may inthis case be referred to as a D2D communication device. As yet anotherspecific example, in an Internet of Things (IoT) scenario, a WD mayrepresent a machine or other device that performs monitoring and/ormeasurements, and transmits the results of such monitoring and/ormeasurements to another WD and/or a network node. The WD may in thiscase be a machine-to-machine (M2M) device, which may in a 3GPP contextbe referred to as an MTC device. As one particular example, the WD maybe a UE implementing the 3GPP narrow band internet of things (NB-IoT)standard. Particular examples of such machines or devices are sensors,metering devices such as power meters, industrial machinery, or home orpersonal appliances (e.g. refrigerators, televisions, etc.) personalwearables (e.g., watches, fitness trackers, etc.). In other scenarios, aWD may represent a vehicle or other equipment that is capable ofmonitoring and/or reporting on its operational status or other functionsassociated with its operation. A WD as described above may represent theendpoint of a wireless connection, in which case the device may bereferred to as a wireless terminal. Furthermore, a WD as described abovemay be mobile, in which case it may also be referred to as a mobiledevice or a mobile terminal.

As illustrated, wireless device 310 includes antenna 311, interface 314,processing circuitry 320, device readable medium 330, user interfaceequipment 332, auxiliary equipment 334, power source 336 and powercircuitry 337. WD 310 may include multiple sets of one or more of theillustrated components for different wireless technologies supported byWD 310, such as, for example, GSM, WCDMA, LTE, NR, WiFi, WiMAX, orBluetooth wireless technologies, just to mention a few. These wirelesstechnologies may be integrated into the same or different chips or setof chips as other components within WD 310.

Antenna 311 may include one or more antennas or antenna arrays,configured to send and/or receive wireless signals, and is connected tointerface 314. In certain alternative embodiments, antenna 311 may beseparate from WD 310 and be connectable to WD 310 through an interfaceor port. Antenna 311, interface 314, and/or processing circuitry 320 maybe configured to perform any receiving or transmitting operationsdescribed herein as being performed by a WD. Any information, dataand/or signals may be received from a network node and/or another WD. Insome embodiments, radio front end circuitry and/or antenna 311 may beconsidered an interface.

As illustrated, interface 314 comprises radio front end circuitry 312and antenna 311. Radio front end circuitry 312 comprise one or morefilters 318 and amplifiers 316. Radio front end circuitry 314 isconnected to antenna 311 and processing circuitry 320, and is configuredto condition signals communicated between antenna 311 and processingcircuitry 320. Radio front end circuitry 312 may be coupled to or a partof antenna 311. In some embodiments, WD 310 may not include separateradio front end circuitry 312; rather, processing circuitry 320 maycomprise radio front end circuitry and may be connected to antenna 311.Similarly, in some embodiments, some or all of RF transceiver circuitry322 may be considered a part of interface 314. Radio front end circuitry312 may receive digital data that is to be sent out to other networknodes or WDs via a wireless connection. Radio front end circuitry 312may convert the digital data into a radio signal having the appropriatechannel and bandwidth parameters using a combination of filters 318and/or amplifiers 316. The radio signal may then be transmitted viaantenna 311. Similarly, when receiving data, antenna 311 may collectradio signals which are then converted into digital data by radio frontend circuitry 312. The digital data may be passed to processingcircuitry 320. In other embodiments, the interface may comprisedifferent components and/or different combinations of components.

Processing circuitry 320 may comprise a combination of one or more of amicroprocessor, controller, microcontroller, central processing unit,digital signal processor, application-specific integrated circuit, fieldprogrammable gate array, or any other suitable computing device,resource, or combination of hardware, software, and/or encoded logicoperable to provide, either alone or in conjunction with other WD 310components, such as device readable medium 330, WD 310 functionality.Such functionality may include providing any of the various wirelessfeatures or benefits discussed herein. For example, processing circuitry320 may execute instructions stored in device readable medium 330 or inmemory within processing circuitry 320 to provide the functionalitydisclosed herein.

As illustrated, processing circuitry 320 includes one or more of RFtransceiver circuitry 322, baseband processing circuitry 324, andapplication processing circuitry 326. In other embodiments, theprocessing circuitry may comprise different components and/or differentcombinations of components. In certain embodiments processing circuitry320 of WD 310 may comprise a SOC. In some embodiments, RF transceivercircuitry 322, baseband processing circuitry 324, and applicationprocessing circuitry 326 may be on separate chips or sets of chips. Inalternative embodiments, part or all of baseband processing circuitry324 and application processing circuitry 326 may be combined into onechip or set of chips, and RF transceiver circuitry 322 may be on aseparate chip or set of chips. In still alternative embodiments, part orall of RF transceiver circuitry 322 and baseband processing circuitry324 may be on the same chip or set of chips, and application processingcircuitry 326 may be on a separate chip or set of chips. In yet otheralternative embodiments, part or all of RF transceiver circuitry 322,baseband processing circuitry 324, and application processing circuitry326 may be combined in the same chip or set of chips. In someembodiments, RF transceiver circuitry 322 may be a part of interface314. RF transceiver circuitry 322 may condition RF signals forprocessing circuitry 320.

In certain embodiments, some or all of the functionality describedherein as being performed by a WD may be provided by processingcircuitry 320 executing instructions stored on device readable medium330, which in certain embodiments may be a computer-readable storagemedium. In alternative embodiments, some or all of the functionality maybe provided by processing circuitry 320 without executing instructionsstored on a separate or discrete device readable storage medium, such asin a hard-wired manner. In any of those particular embodiments, whetherexecuting instructions stored on a device readable storage medium ornot, processing circuitry 320 can be configured to perform the describedfunctionality. The benefits provided by such functionality are notlimited to processing circuitry 320 alone or to other components of WD310, but are enjoyed by WD 310 as a whole, and/or by end users and thewireless network generally.

Processing circuitry 320 may be configured to perform any determining,calculating, or similar operations (e.g., certain obtaining operations)described herein as being performed by a WD. These operations, asperformed by processing circuitry 320, may include processinginformation obtained by processing circuitry 320 by, for example,converting the obtained information into other information, comparingthe obtained information or converted information to information storedby WD 310, and/or performing one or more operations based on theobtained information or converted information, and as a result of saidprocessing making a determination.

Device readable medium 330 may be operable to store a computer program,software, an application including one or more of logic, rules, code,tables, etc. and/or other instructions capable of being executed byprocessing circuitry 320. Device readable medium 330 may includecomputer memory (e.g., Random Access Memory (RAM) or Read Only Memory(ROM)), mass storage media (e.g., a hard disk), removable storage media(e.g., a Compact Disk (CD) or a Digital Video Disk (DVD)), and/or anyother volatile or non-volatile, non-transitory device readable and/orcomputer executable memory devices that store information, data, and/orinstructions that may be used by processing circuitry 320. In someembodiments, processing circuitry 320 and device readable medium 330 maybe considered to be integrated.

User interface equipment 332 may provide components that allow for ahuman user to interact with WD 310. Such interaction may be of manyforms, such as visual, audial, tactile, etc. User interface equipment332 may be operable to produce output to the user and to allow the userto provide input to WD 310. The type of interaction may vary dependingon the type of user interface equipment 332 installed in WD 310. Forexample, if WD 310 is a smart phone, the interaction may be via a touchscreen; if WD 310 is a smart meter, the interaction may be through ascreen that provides usage (e.g., the number of gallons used) or aspeaker that provides an audible alert (e.g., if smoke is detected).User interface equipment 332 may include input interfaces, devices andcircuits, and output interfaces, devices and circuits. User interfaceequipment 332 is configured to allow input of information into WD 310,and is connected to processing circuitry 320 to allow processingcircuitry 320 to process the input information. User interface equipment332 may include, for example, a microphone, a proximity or other sensor,keys/buttons, a touch display, one or more cameras, a USB port, or otherinput circuitry. User interface equipment 332 is also configured toallow output of information from WD 310, and to allow processingcircuitry 320 to output information from WD 310. User interfaceequipment 332 may include, for example, a speaker, a display, vibratingcircuitry, a USB port, a headphone interface, or other output circuitry.Using one or more input and output interfaces, devices, and circuits, ofuser interface equipment 332, WD 310 may communicate with end usersand/or the wireless network, and allow them to benefit from thefunctionality described herein.

Auxiliary equipment 334 is operable to provide more specificfunctionality which may not be generally performed by WDs. This maycomprise specialized sensors for doing measurements for variouspurposes, interfaces for additional types of communication such as wiredcommunications etc. The inclusion and type of components of auxiliaryequipment 334 may vary depending on the embodiment and/or scenario.

Power source 336 may, in some embodiments, be in the form of a batteryor battery pack. Other types of power sources, such as an external powersource (e.g., an electricity outlet), photovoltaic devices or powercells, may also be used. WD 310 may further comprise power circuitry 337for delivering power from power source 336 to the various parts of WD310 which need power from power source 336 to carry out anyfunctionality described or indicated herein. Power circuitry 337 may incertain embodiments comprise power management circuitry. Power circuitry337 may additionally or alternatively be operable to receive power froman external power source; in which case WD 310 may be connectable to theexternal power source (such as an electricity outlet) via inputcircuitry or an interface such as an electrical power cable. Powercircuitry 337 may also in certain embodiments be operable to deliverpower from an external power source to power source 336. This may be,for example, for the charging of power source 336. Power circuitry 337may perform any formatting, converting, or other modification to thepower from power source 336 to make the power suitable for therespective components of WD 310 to which power is supplied.

FIG. 4 illustrates one embodiment of a UE in accordance with variousaspects described herein. As used herein, a user equipment or UE may notnecessarily have a user in the sense of a human user who owns and/oroperates the relevant device. Instead, a UE may represent a device thatis intended for sale to, or operation by, a human user but which maynot, or which may not initially, be associated with a specific humanuser (e.g., a smart sprinkler controller). Alternatively, a UE mayrepresent a device that is not intended for sale to, or operation by, anend user but which may be associated with or operated for the benefit ofa user (e.g., a smart power meter). UE 400 may be any UE identified bythe 3rd Generation Partnership Project (3GPP), including a NB-IoT UE, amachine type communication (MTC) UE, and/or an enhanced MTC (eMTC) UE.UE 400, as illustrated in FIG. 4 , is one example of a WD configured forcommunication in accordance with one or more communication standardspromulgated by the 3rd Generation Partnership Project (3GPP), such as3GPP's GSM, UMTS, LTE, and/or 5G standards. As mentioned previously, theterm WD and UE may be used interchangeable. Accordingly, although FIG. 4is a UE, the components discussed herein are equally applicable to a WD,and vice-versa.

In FIG. 4 , UE 400 includes processing circuitry 401 that is operativelycoupled to input/output interface 405, radio frequency (RF) interface409, network connection interface 411, memory 415 including randomaccess memory (RAM) 417, read-only memory (ROM) 419, and storage medium421 or the like, communication subsystem 431, power source 433, and/orany other component, or any combination thereof. Storage medium 421includes operating system 423, application program 425, and data 427. Inother embodiments, storage medium 421 may include other similar types ofinformation. Certain UEs may utilize all of the components shown in FIG.4 , or only a subset of the components. The level of integration betweenthe components may vary from one UE to another UE. Further, certain UEsmay contain multiple instances of a component, such as multipleprocessors, memories, transceivers, transmitters, receivers, etc.

In FIG. 4 , processing circuitry 401 may be configured to processcomputer instructions and data. Processing circuitry 401 may beconfigured to implement any sequential state machine operative toexecute machine instructions stored as machine-readable computerprograms in the memory, such as one or more hardware-implemented statemachines (e.g., in discrete logic, FPGA, ASIC, etc.); programmable logictogether with appropriate firmware; one or more stored program,general-purpose processors, such as a microprocessor or Digital SignalProcessor (DSP), together with appropriate software; or any combinationof the above. For example, the processing circuitry 401 may include twocentral processing units (CPUs). Data may be information in a formsuitable for use by a computer.

In the depicted embodiment, input/output interface 405 may be configuredto provide a communication interface to an input device, output device,or input and output device. UE 400 may be configured to use an outputdevice via input/output interface 405. An output device may use the sametype of interface port as an input device. For example, a USB port maybe used to provide input to and output from UE 400. The output devicemay be a speaker, a sound card, a video card, a display, a monitor, aprinter, an actuator, an emitter, a smartcard, another output device, orany combination thereof. UE 400 may be configured to use an input devicevia input/output interface 405 to allow a user to capture informationinto UE 400. The input device may include a touch-sensitive orpresence-sensitive display, a camera (e.g., a digital camera, a digitalvideo camera, a web camera, etc.), a microphone, a sensor, a mouse, atrackball, a directional pad, a trackpad, a scroll wheel, a smartcard,and the like. The presence-sensitive display may include a capacitive orresistive touch sensor to sense input from a user. A sensor may be, forinstance, an accelerometer, a gyroscope, a tilt sensor, a force sensor,a magnetometer, an optical sensor, a proximity sensor, another likesensor, or any combination thereof. For example, the input device may bean accelerometer, a magnetometer, a digital camera, a microphone, and anoptical sensor.

In FIG. 4 , RF interface 409 may be configured to provide acommunication interface to RF components such as a transmitter, areceiver, and an antenna. Network connection interface 411 may beconfigured to provide a communication interface to network 443 a.Network 443 a may encompass wired and/or wireless networks such as alocal-area network (LAN), a wide-area network (WAN), a computer network,a wireless network, a telecommunications network, another like networkor any combination thereof. For example, network 443 a may comprise aWi-Fi network. Network connection interface 411 may be configured toinclude a receiver and a transmitter interface used to communicate withone or more other devices over a communication network according to oneor more communication protocols, such as Ethernet, TCP/IP, SONET, ATM,or the like. Network connection interface 411 may implement receiver andtransmitter functionality appropriate to the communication network links(e.g., optical, electrical, and the like). The transmitter and receiverfunctions may share circuit components, software or firmware, oralternatively may be implemented separately.

RAM 417 may be configured to interface via bus 402 to processingcircuitry 401 to provide storage or caching of data or computerinstructions during the execution of software programs such as theoperating system, application programs, and device drivers. ROM 419 maybe configured to provide computer instructions or data to processingcircuitry 401. For example, ROM 419 may be configured to store invariantlow-level system code or data for basic system functions such as basicinput and output (I/O), startup, or reception of keystrokes from akeyboard that are stored in a non-volatile memory. Storage medium 421may be configured to include memory such as RAM, ROM, programmableread-only memory (PROM), erasable programmable read-only memory (EPROM),electrically erasable programmable read-only memory (EEPROM), magneticdisks, optical disks, floppy disks, hard disks, removable cartridges, orflash drives. In one example, storage medium 421 may be configured toinclude operating system 423, application program 425 such as a webbrowser application, a widget or gadget engine or another application,and data file 427. Storage medium 421 may store, for use by UE 400, anyof a variety of various operating systems or combinations of operatingsystems.

Storage medium 421 may be configured to include a number of physicaldrive units, such as redundant array of independent disks (RAID), floppydisk drive, flash memory, USB flash drive, external hard disk drive,thumb drive, pen drive, key drive, high-density digital versatile disc(HD-DVD) optical disc drive, internal hard disk drive, Blu-Ray opticaldisc drive, holographic digital data storage (HDDS) optical disc drive,external mini-dual in-line memory module (DIMM), synchronous dynamicrandom access memory (SDRAM), external micro-DIMM SDRAM, smartcardmemory such as a subscriber identity module or a removable user identity(SIM/RUIM) module, other memory, or any combination thereof. Storagemedium 421 may allow UE 400 to access computer-executable instructions,application programs or the like, stored on transitory or non-transitorymemory media, to off-load data, or to upload data. An article ofmanufacture, such as one utilizing a communication system may betangibly embodied in storage medium 421, which may comprise a devicereadable medium.

In FIG. 4 , processing circuitry 401 may be configured to communicatewith network 443 b using communication subsystem 431. Network 443 a andnetwork 443 b may be the same network or networks or different networkor networks. Communication subsystem 431 may be configured to includeone or more transceivers used to communicate with network 443 b. Forexample, communication subsystem 431 may be configured to include one ormore transceivers used to communicate with one or more remotetransceivers of another device capable of wireless communication such asanother WD, UE, or base station of a radio access network (RAN)according to one or more communication protocols, such as IEEE 802.11,CDMA, WCDMA, GSM, LTE, UTRAN, WiMAX, or the like. Each transceiver mayinclude transmitter 433 and/or receiver 435 to implement transmitter orreceiver functionality, respectively, appropriate to the RAN links(e.g., frequency allocations and the like). Further, transmitter 433 andreceiver 435 of each transceiver may share circuit components, softwareor firmware, or alternatively may be implemented separately.

In the illustrated embodiment, the communication functions ofcommunication subsystem 431 may include data communication, voicecommunication, multimedia communication, short-range communications suchas Bluetooth, near-field communication, location-based communicationsuch as the use of the global positioning system (GPS) to determine alocation, another like communication function, or any combinationthereof. For example, communication subsystem 431 may include cellularcommunication, Wi-Fi communication, Bluetooth communication, and GPScommunication. Network 443 b may encompass wired and/or wirelessnetworks such as a local-area network (LAN), a wide-area network (WAN),a computer network, a wireless network, a telecommunications network,another like network or any combination thereof. For example, network443 b may be a cellular network, a Wi-Fi network, and/or a near-fieldnetwork. Power source 413 may be configured to provide alternatingcurrent (AC) or direct current (DC) power to components of UE 400.

The features, benefits and/or functions described herein may beimplemented in one of the components of UE 400 or partitioned acrossmultiple components of UE 400. Further, the features, benefits, and/orfunctions described herein may be implemented in any combination ofhardware, software or firmware. In one example, communication subsystem431 may be configured to include any of the components described herein.Further, processing circuitry 401 may be configured to communicate withany of such components over bus 402. In another example, any of suchcomponents may be represented by program instructions stored in memorythat when executed by processing circuitry 401 perform the correspondingfunctions described herein. In another example, the functionality of anyof such components may be partitioned between processing circuitry 401and communication subsystem 431. In another example, thenon-computationally intensive functions of any of such components may beimplemented in software or firmware and the computationally intensivefunctions may be implemented in hardware.

FIG. 5 is a schematic block diagram illustrating a virtualizationenvironment 500 in which functions implemented by some embodiments maybe virtualized. In the present context, virtualizing means creatingvirtual versions of apparatuses or devices which may includevirtualizing hardware platforms, storage devices and networkingresources. As used herein, virtualization can be applied to a node(e.g., a virtualized base station or a virtualized radio access node) orto a device (e.g., a UE, a wireless device or any other type ofcommunication device) or components thereof and relates to animplementation in which at least a portion of the functionality isimplemented as one or more virtual components (e.g., via one or moreapplications, components, functions, virtual machines or containersexecuting on one or more physical processing nodes in one or morenetworks).

In some embodiments, some or all of the functions described herein maybe implemented as virtual components executed by one or more virtualmachines implemented in one or more virtual environments 500 hosted byone or more of hardware nodes 530. Further, in embodiments in which thevirtual node is not a radio access node or does not require radioconnectivity (e.g., a core network node), then the network node may beentirely virtualized.

The functions may be implemented by one or more applications 520 (whichmay alternatively be called software instances, virtual appliances,network functions, virtual nodes, virtual network functions, etc.)operative to implement some of the features, functions, and/or benefitsof some of the embodiments disclosed herein. Applications 520 are run invirtualization environment 500 which provides hardware 530 comprisingprocessing circuitry 560 and memory 590. Memory 590 containsinstructions 595 executable by processing circuitry 560 wherebyapplication 520 is operative to provide one or more of the features,benefits, and/or functions disclosed herein.

Virtualization environment 500, comprises general-purpose orspecial-purpose network hardware devices 530 comprising a set of one ormore processors or processing circuitry 560, which may be commercialoff-the-shelf (COTS) processors, dedicated Application SpecificIntegrated Circuits (ASICs), or any other type of processing circuitryincluding digital or analog hardware components or special purposeprocessors. Each hardware device may comprise memory 590-1 which may benon-persistent memory for temporarily storing instructions 595 orsoftware executed by processing circuitry 560. Each hardware device maycomprise one or more network interface controllers (NICs) 570, alsoknown as network interface cards, which include physical networkinterface 580. Each hardware device may also include non-transitory,persistent, machine-readable storage media 590-2 having stored thereinsoftware 595 and/or instructions executable by processing circuitry 560.Software 595 may include any type of software including software forinstantiating one or more virtualization layers 550 (also referred to ashypervisors), software to execute virtual machines 540 as well assoftware allowing it to execute functions, features and/or benefitsdescribed in relation with some embodiments described herein.

Virtual machines 540, comprise virtual processing, virtual memory,virtual networking or interface and virtual storage, and may be run by acorresponding virtualization layer 550 or hypervisor. Differentembodiments of the instance of virtual appliance 520 may be implementedon one or more of virtual machines 540, and the implementations may bemade in different ways.

During operation, processing circuitry 560 executes software 595 toinstantiate the hypervisor or virtualization layer 550, which maysometimes be referred to as a virtual machine monitor (VMM).Virtualization layer 550 may present a virtual operating platform thatappears like networking hardware to virtual machine 540.

As shown in FIG. 5 , hardware 530 may be a standalone network node withgeneric or specific components. Hardware 530 may comprise antenna 5225and may implement some functions via virtualization. Alternatively,hardware 530 may be part of a larger cluster of hardware (e.g. such asin a data center or customer premise equipment (CPE)) where manyhardware nodes work together and are managed via management andorchestration (MANO) 5100, which, among others, oversees lifecyclemanagement of applications 520.

Virtualization of the hardware is in some contexts referred to asnetwork function virtualization (NFV). NFV may be used to consolidatemany network equipment types onto industry standard high volume serverhardware, physical switches, and physical storage, which can be locatedin data centers, and customer premise equipment.

In the context of NFV, virtual machine 540 may be a softwareimplementation of a physical machine that runs programs as if they wereexecuting on a physical, non-virtualized machine. Each of virtualmachines 540, and that part of hardware 530 that executes that virtualmachine, be it hardware dedicated to that virtual machine and/orhardware shared by that virtual machine with others of the virtualmachines 540, forms a separate virtual network elements (VNE).

Still in the context of NFV, Virtual Network Function (VNF) isresponsible for handling specific network functions that run in one ormore virtual machines 540 on top of hardware networking infrastructure530 and corresponds to application 520 in FIG. 5 .

In some embodiments, one or more radio units 5200 that each include oneor more transmitters 5220 and one or more receivers 5210 may be coupledto one or more antennas 5225. Radio units 5200 may communicate directlywith hardware nodes 530 via one or more appropriate network interfacesand may be used in combination with the virtual components to provide avirtual node with radio capabilities, such as a radio access node or abase station.

In some embodiments, some signaling can be effected with the use ofcontrol system 5230 which may alternatively be used for communicationbetween the hardware nodes 530 and radio units 5200.

FIG. 6 is a flow chart, which depicts a method in accordance withparticular embodiments, and specifically a method performed by awireless device for calculating a subscription concealed identifier,SUCI. The method begins at step 602 when the wireless device receives amessage indicating a criterion associated with a size of a SUCI. At step604, the wireless device calculates the SUCI based on an encryptionscheme. At step 606, the wireless device determines whether thecalculated SUCI satisfies the criterion associated with the size of theSUCI. At step 608, the wireless device uses the calculated SUCI only ifit is determined that it satisfies the criterion associated with thesize of the SUCI. More specifically, if the wireless device determinesthat the calculated SUCI does not satisfy the criterion associated withthe size of the SUCI (that is, for example, if the size of the SUCIexceeds a maximum size), in certain embodiments the wireless device doesnot send the calculated SUCI to the network. The maximum size may be setbased on the scheme used for calculating the SUCI.

FIG. 7 is a schematic block diagram of a virtual apparatus 700 in awireless network (for example, the wireless network shown in FIG. 3 ).The apparatus may be implemented in a wireless device or network node(e.g., wireless device 310 or network node 360 shown in FIG. 3 ).Apparatus 700 is operable to carry out the example method described withreference to FIG. 8 and possibly any other processes or methodsdisclosed herein. It is also to be understood that the method of FIG. 8is not necessarily carried out solely by apparatus 700. At least someoperations of the method can be performed by one or more other entities.

Virtual Apparatus 700 may comprise processing circuitry, which mayinclude one or more microprocessor or microcontrollers, as well as otherdigital hardware, which may include digital signal processors (DSPs),special-purpose digital logic, and the like. The processing circuitrymay be configured to execute program code stored in memory, which mayinclude one or several types of memory such as read-only memory (ROM),random-access memory, cache memory, flash memory devices, opticalstorage devices, etc. Program code stored in memory includes programinstructions for executing one or more telecommunications and/or datacommunications protocols as well as instructions for carrying out one ormore of the techniques described herein, in several embodiments. In someimplementations, the processing circuitry may be used to cause receivingunit 702, calculating unit 704, determining unit 706, and using unit 708and any other suitable units of apparatus 700 to perform correspondingfunctions according to one or more embodiments of the presentdisclosure.

As illustrated in FIG. 7 , apparatus 700 includes receiving unit 702,for receiving a message indicating a criterion associated with a size ofa SUCI; calculating unit 704, for calculating the SUCI based on anencryption scheme; determining unit 706, for determining whether thecalculated SUCI satisfies the criterion associated with the size of theSUCI; and using unit 708, for using the calculated SUCI only if it isdetermined that it satisfies the criterion associated with the size ofthe SUCI.

The term unit may have conventional meaning in the field of electronics,electrical devices and/or electronic devices and may include, forexample, electrical and/or electronic circuitry, devices, modules,processors, memories, logic solid state and/or discrete devices,computer programs or instructions for carrying out respective tasks,procedures, computations, outputs, and/or displaying functions, and soon, as such as those that are described herein.

FIG. 8 is a flow chart, which depicts a method in accordance withparticular embodiments, and specifically a method performed by a networkfunction to identify an invalid subscription concealed identifier, SUCI.The method comprises:

step 812, receiving a message containing a SUCI;

step 814, determining a size of the SUCI contained in the receivedmessage;

step 816, determining an expected size of the SUCI in the receivedmessage;

step 818, determining whether the size of the SUCI contained in thereceived message satisfies a criterion associated with the expectedsize;

step 820, determining that the SUCI in the received message is invalidif the size of the SUCI contained in the received message does notsatisfy the criterion associated with the expected size; and

step 822, rejecting the SUCI in the received message if it is determinedto be invalid.

FIG. 9 illustrates a schematic block diagram of a virtual apparatus 900in a wireless network (for example, the wireless network shown in FIG. 3). The apparatus may be implemented in a wireless device or network node(e.g., wireless device 310 or network node 360 shown in FIG. 3 ).Apparatus 900 is operable to carry out the example method described withreference to FIG. 8 and possibly any other processes or methodsdisclosed herein. It is also to be understood that the method of FIG. 8is not necessarily carried out solely by apparatus 900. At least someoperations of the method can be performed by one or more other entities.

Virtual Apparatus 900 may comprise processing circuitry, which mayinclude one or more microprocessor or microcontrollers, as well as otherdigital hardware, which may include digital signal processors (DSPs),special-purpose digital logic, and the like. The processing circuitrymay be configured to execute program code stored in memory, which mayinclude one or several types of memory such as read-only memory (ROM),random-access memory, cache memory, flash memory devices, opticalstorage devices, etc. Program code stored in memory includes programinstructions for executing one or more telecommunications and/or datacommunications protocols as well as instructions for carrying out one ormore of the techniques described herein, in several embodiments. In someimplementations, the processing circuitry may be used to cause receivingunit 902, determining unit 904, determining unit 906, determining unit908, determining unit 910, and rejecting unit 912, and any othersuitable units of apparatus 900 to perform corresponding functionsaccording one or more embodiments of the present disclosure.

As illustrated in FIG. 9 , apparatus 900 includes receiving unit 902,for receiving a message containing a SUCI; determining unit 904, fordetermining a size of the SUCI contained in the received message;determining unit 906, for determining an expected size of the SUCI inthe received message; determining unit 908, for determining whether thesize of the SUCI contained in the received message satisfies a criterionassociated with the expected size; determining unit 910, for determiningthat the SUCI in the received message is invalid if the size of the SUCIcontained in the received message does not satisfy the criterionassociated with the expected size; and rejecting unit 912, for rejectingthe SUCI in the received message if it is determined to be invalid.

The term unit may have conventional meaning in the field of electronics,electrical devices and/or electronic devices and may include, forexample, electrical and/or electronic circuitry, devices, modules,processors, memories, logic solid state and/or discrete devices,computer programs or instructions for carrying out respective tasks,procedures, computations, outputs, and/or displaying functions, and soon, as such as those that are described herein.

At least some of the following abbreviations may be used in thisdisclosure. If there is an inconsistency between abbreviations,preference should be given to how it is used above. If listed multipletimes below, the first listing should be preferred over any subsequentlisting(s).

-   -   1×RTT CDMA2000 1× Radio Transmission Technology    -   3GPP 3rd Generation Partnership Project    -   5G 5th Generation    -   ABS Almost Blank Subframe    -   ARQ Automatic Repeat Request    -   AWGN Additive White Gaussian Noise    -   BCCH Broadcast Control Channel    -   BCH Broadcast Channel    -   CA Carrier Aggregation    -   CC Carrier Component    -   CCCH SDU Common Control Channel SDU    -   CDMA Code Division Multiplexing Access    -   CGI Cell Global Identifier    -   CIR Channel Impulse Response    -   CP Cyclic Prefix    -   CPICH Common Pilot Channel    -   CPICH Ec/No CPICH Received energy per chip divided by the power        density in the band    -   CQI Channel Quality information    -   C-RNTI Cell RNTI    -   CSI Channel State Information    -   DCCH Dedicated Control Channel    -   DL Downlink    -   DM Demodulation    -   DMRS Demodulation Reference Signal    -   DRX Discontinuous Reception    -   DTX Discontinuous Transmission    -   DTCH Dedicated Traffic Channel    -   DUT Device Under Test    -   E-CID Enhanced Cell-ID (positioning method)    -   E-SM LC Evolved-Serving Mobile Location Centre    -   ECGI Evolved CGI    -   eNB E-UTRAN NodeB    -   ePDCCH enhanced Physical Downlink Control Channel    -   E-SM LC evolved Serving Mobile Location Center    -   E-UTRA Evolved UTRA    -   E-UTRAN Evolved UTRAN    -   FDD Frequency Division Duplex    -   FFS For Further Study    -   GERAN GSM EDGE Radio Access Network    -   gNB Base station in NR    -   GNSS Global Navigation Satellite System    -   GSM Global System for Mobile communication    -   HARQ Hybrid Automatic Repeat Request    -   HO Handover    -   HSPA High Speed Packet Access    -   HRPD High Rate Packet Data    -   LOS Line of Sight    -   LPP LTE Positioning Protocol    -   LTE Long-Term Evolution    -   MAC Medium Access Control    -   MBMS Multimedia Broadcast Multicast Services    -   MBSFN Multimedia Broadcast multicast service Single Frequency        Network    -   MBSFN ABS MBSFN Almost Blank Subframe    -   MDT Minimization of Drive Tests    -   MIB Master Information Block    -   MME Mobility Management Entity    -   MSC Mobile Switching Center    -   NPDCCH Narrowband Physical Downlink Control Channel    -   NR New Radio    -   OCNG OFDMA Channel Noise Generator    -   OFDM Orthogonal Frequency Division Multiplexing    -   OFDMA Orthogonal Frequency Division Multiple Access    -   OSS Operations Support System    -   OTDOA Observed Time Difference of Arrival    -   O&M Operation and Maintenance    -   PBCH Physical Broadcast Channel    -   P-CCPCH Primary Common Control Physical Channel    -   PCell Primary Cell    -   PCFICH Physical Control Format Indicator Channel    -   PDCCH Physical Downlink Control Channel    -   PDP Profile Delay Profile    -   PDSCH Physical Downlink Shared Channel    -   PGW Packet Gateway    -   PHICH Physical Hybrid-ARQ Indicator Channel    -   PLMN Public Land Mobile Network    -   PMI Precoder Matrix Indicator    -   PRACH Physical Random Access Channel    -   PRS Positioning Reference Signal    -   PSS Primary Synchronization Signal    -   PUCCH Physical Uplink Control Channel    -   PUSCH Physical Uplink Shared Channel    -   RACH Random Access Channel    -   QAM Quadrature Amplitude Modulation    -   RAN Radio Access Network    -   RAT Radio Access Technology    -   RLM Radio Link Management    -   RNC Radio Network Controller    -   RNTI Radio Network Temporary Identifier    -   RRC Radio Resource Control    -   RRM Radio Resource Management    -   RS Reference Signal    -   RSCP Received Signal Code Power    -   RSRP Reference Symbol Received Power OR Reference Signal        Received Power    -   RSRQ Reference Signal Received Quality OR Reference Symbol        Received Quality    -   RSSI Received Signal Strength Indicator    -   RSTD Reference Signal Time Difference    -   SCH Synchronization Channel    -   SCell Secondary Cell    -   SDU Service Data Unit    -   SFN System Frame Number    -   SGW Serving Gateway    -   SI System Information    -   SIB System Information Block    -   SNR Signal to Noise Ratio    -   SON Self Optimized Network    -   SS Synchronization Signal    -   SSS Secondary Synchronization Signal    -   TDD Time Division Duplex    -   TDOA Time Difference of Arrival    -   TOA Time of Arrival    -   TSS Tertiary Synchronization Signal    -   TTI Transmission Time Interval    -   UE User Equipment    -   UL Uplink    -   UMTS Universal Mobile Telecommunication System    -   USIM Universal Subscriber Identity Module    -   UTDOA Uplink Time Difference of Arrival    -   UTRA Universal Terrestrial Radio Access    -   UTRAN Universal Terrestrial Radio Access Network    -   WCDMA Wide CDMA    -   WLAN Wide Local Area Network

What is claimed is:
 1. A method, performed by a network function, toidentify an invalid subscription concealed identifier (SUCI), the methodcomprising the network function: receiving a message containing a SUCI;determining that the SUCI in the received message is invalid when a sizeof the SUCI contained in the received message does not satisfy acriterion associated with an expected size; and rejecting the SUCI inthe received message when the SUCI in the received message is determinedto be invalid.
 2. The method of claim 1, wherein the expected size ofthe SUCI in the received message is based on an encryption scheme usedfor calculating the SUCI.
 3. The method of claim 2, wherein theencryption scheme used for calculating the SUCI is a standardizedencryption scheme.
 4. The method of claim 2, wherein the encryptionscheme used for calculating the SUCI is a proprietary encryption scheme.5. The method of claim 1, wherein the expected size of the SUCI in thereceived message applies to all SUCIs in the network.
 6. The method ofclaim 1, wherein the expected size of the SUCI in the received messageapplies to all SUCIs in a local area of the network.
 7. The method ofclaim 1, further comprising determining the expected size of the SUCI inthe received message based on at least one other factor.
 8. The methodof claim 7, wherein the at least one other factor comprises: time,location, network load, network type, operator information, and/orroaming partner information.
 9. The method of claim 1, wherein thecriterion associated with the expected size comprises a maximum sizethat is greater than the expected size.
 10. The method of claim 1,wherein the criterion associated with the expected size comprises aminimum size that is smaller than the expected size.
 11. The method ofclaim 1, wherein the criterion associated with the expected sizecomprises a size range that encompasses the expected size.
 12. A networknode configured to identify an invalid subscription concealed identifier(SUCI), the network node comprising: processing circuitry; memorycontaining instructions executable by the processing circuitry wherebythe network node is operative to: receive a message containing a SUCI;determine that the SUCI in the received message is invalid when a sizeof the SUCI contained in the received message does not satisfy acriterion associated with an expected size; and reject the SUCI in thereceived message when the SUCI in the received message is determined tobe invalid.
 13. The network node of claim 12, wherein the expected sizeof the SUCI in the received message is based on an encryption schemeused for calculating the SUCI.
 14. The network node of claim 13, whereinthe encryption scheme used for calculating the SUCI is a standardizedencryption scheme.
 15. The network node of claim 12, wherein theexpected size of the SUCI in the received message applies to all SUCIsin the network.
 16. The network node of claim 12, wherein theinstructions are such that the network node is operative to determinethe expected size of the SUCI in the received message based on at leastone other factor.
 17. The network node of claim 16, wherein the at leastone other factor comprises: time, location, network load, network type,operator information, and/or roaming partner information.
 18. Thenetwork node of claim 12, wherein the criterion associated with theexpected size comprises a maximum size that is greater than the expectedsize.
 19. The network node of claim 12, wherein the criterion associatedwith the expected size comprises a minimum size that is smaller than theexpected size.
 20. The network node of claim 12, wherein the criterionassociated with the expected size comprises a size range thatencompasses the expected size.